
.avif)
Welcome to our blog.
.jpg)
Aikido acquires Root to secure the supply chain
Aikido has acquired Root to secure the software supply chain, fixing open source vulnerabilities in the version you already run, no upgrade required. Critical fixes go back to the community, free.

Packagist is now protected by Aikido Intel and other updates to the PHP registry
Aikido's malware feed now blocks flagged package versions in Composer by default, for everyone installing from Packagist.org, with nothing to switch on. Over the past year Packagist and Composer have been closing whole classes of supply chain attack at the registry level. Here's what they shipped, and why every registry should be working this way.
2026 State of AI in Pentesting
Our latest report captures the perspectives of 400 CISOs, CTOs, and senior engineering leaders across Europe and the US. It explores how AI is changing penetration testing, why traditional approaches are struggling to keep pace with modern software delivery, and what security leaders want from the next generation of penetration testing.

Vulnerabilities & Threats
Cut through the noise with real-world CVE breakdowns, malware analysis, exploits, and emerging risks.
Customer Stories
See how teams like yours are using Aikido to simplify security and ship with confidence.
It's time to treat browser extensions like supply chain attack vectors
The Vercel breach followed a pattern the security industry knows well, where third-party code is implicitly trusted, then compromised upstream. We have a framework for that. We just haven't applied it to browser extensions yet. (Spoiler: We do this for software dependencies)
Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm
Malware found in @bitwarden/cli v2026.4.0 steals SSH keys, cloud secrets, and AI coding tool credentials, then spreads through victims' own npm packages. Inside: a worm calling itself "Shai-Hulud: The Third Coming."
Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow
Aikido's AI pentesting agents found three XSS vulnerabilities in Mailcow, a widely used self-hosted email server. The most severe allowed unauthenticated attackers to inject a payload into Autodiscover logs that would execute when an admin viewed them, enabling full account takeover. All three have been fixed since version 2026-03b.
Axios CVE-2026-40175: a critical bug that’s… not exploitable
Axios CVE-2026-40175 is rated critical, but in real Node.js environments it’s not practically exploitable. Here’s why.
Bug bounty isn’t dead, but the old model is breaking
Bug bounty is hitting a breaking point as AI overwhelms programs, pushing a shift toward more sustainable, quality-focused security models.
Aikido Attack finds multiple 0-days in Hoppscotch
Aikido Attack identified three high-severity vulnerabilities in Hoppscotch: an open redirect leading to account takeover, stored XSS, and a broken access control issue allowing cross-team request injection.
fast-draft Open VSX Extension Compromised by BlokTrooper
A popular Open VSX extension was compromised and used to deploy a RAT and infostealer from attacker-controlled infrastructure. Its version history tells the real story, with malicious releases appearing between clean ones.
Glassworm Strikes Popular React Native Phone Number Packages
Two popular React Native npm packages were backdoored by suspected Glassworm actors and used to deliver multi-stage malware. Here's what the malware does and what to look for.
How Security Teams Fight Back Against AI-Powered Hackers
A single hacker and a Claude subscription just took down nine Mexican government agencies. AI has handed attackers a serious power upgrade. Security teams need a new playbook.
How does AI pentesting work with compliance?
AI pentesting is being accepted for SOC 2, ISO 27001, HIPAA, and PCI DSS. Here's what auditors actually look for, and where the real limitations are.
Persistent XSS/RCE using WebSockets in Storybook’s dev server
Aikido Attack found a WebSocket hijacking vulnerability in Storybook's dev server that can lead to persistent XSS, remote code execution, and, in the worst case, supply chain compromise. We walk through how an attacker can exploit this without any user interaction at all, and a developer just has to visit the wrong website while to run into this attack.
Aikido acquires Root to secure the supply chain
Aikido has acquired Root to secure the software supply chain, fixing open source vulnerabilities in the version you already run, no upgrade required. Critical fixes go back to the community, free.
Multiple JetBrains IDE plugins caught stealing AI keys
A coordinated campaign of at least 15 JetBrains IDE plugins, published under seven vendor accounts, exfiltrates the AI provider API key you paste into their settings.
10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums
Aikido Security discovered a critical unauthenticated authentication bypass in phpBB affecting tens of millions of users. A single HTTP request is all it takes to take over any account — a vulnerability that's been sitting in the codebase since 2014.
5 Socket security alternatives and why they are better
Socket built its name on malware detection. But detection speed alone is no longer the whole story. Here's how Aikido and four other alternatives compare on supply chain security, reachability analysis, licensing, and more.
A practical CTO security checklist to be Mythos-ready
A practical checklist for SaaS CTOs navigating a world with Mythos and agentic AI threats. Built around the defender's advantage: you have context attackers have to work to get. Covers the controls, practices, and operational habits that determine whether your team finds and fixes issues before someone else does.
Get secure now
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.


